Friday, December 26, 2014

Locking Down Fortigate Admin Access

I'm going to show you a few tips for controlling firewall administrator access on a FortiGate security appliance.

One job of a firewall is to control access at the system administrator level. Within the FortiGate lineup you can control, per interface, which management services you allow: HTTP, HTTPS, SSH, SNMP, ICMP (ping) or Telnet. These are all management protocols, and they are selected with the interface's allowaccess setting.



Do not enable HTTP or Telnet on a public-facing interface. In fact they should not be used at all: both carry admin credentials and session data in cleartext.

To allow only SSH and ping on the interface named wan1, deploy the following configuration:

config system interface
    edit "wan1"
        set vdom "root"
        set dhcp-relay-type ipsec
        set ip 12.212.22.77 255.255.255.0
        set allowaccess ping ssh          <---- here
        set ident-accept enable
        set type physical
        set alias "WAN public uplink"
    next
end

You can selectively set which services you allow per interface. On my DMZ interface I allow ping, HTTPS, SSH and SNMP:

config system interface
    edit "dmz"
        set vdom "root"
        set dhcp-relay-type ipsec
        set ip 192.168.11.1 255.255.255.192
        set allowaccess ping https ssh snmp
        set ident-accept enable
        set type physical
        set alias "DMZ main"
    next
end



Now let's look at some useful tricks in the administrator settings. You can define time-based schedules for when a particular admin account can actually log in.

First you create a firewall recurring schedule, and then you apply it to the administrator account.

config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
    edit "WORKWEEK"
        set day monday tuesday wednesday thursday friday
        set end 17:00
        set start 09:00
    next
    edit "MAINT-WINDOW1"
        set day tuesday thursday
        set end 03:00
        set start 01:00
    next
end



Alternatively, you can create a one-time schedule in a similar fashion. This is great for single-use access or for restricting a contractor to a fixed window.

config firewall schedule onetime
    edit "MYBLOGken"
        set end 18:00 2014/12/26
        set start 17:00 2014/12/26
    next
end


The schedule is then applied to the administrator account:

config system admin
    edit "kfelix"
        set schedule "MYBLOGken"
        set vdom "root"
        set accprofile "super_admin"
    next
end

Now the user "kfelix" is bound by the schedule, whether it is one-time or recurring. This is great for tech-support access or for a contractor who has a fixed window for doing his or her work.

I use one-time schedules a lot so I can configure and forget: once the window has expired I know the user will have no further access. Just be very careful about the access you give the user and how you deploy schedules. You don't want an account with super_admin access having the ability to reconfigure (or simply remove) its own schedule; a schedule is only a real control on an account whose profile cannot write the admin configuration.


If the user tries to log in outside the scheduled time window, the login is rejected.
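To make the schedule semantics concrete, here is an added Python example of mine (not FortiOS code and not from the original post) that models the recurring and one-time schedules above and answers whether an admin bound to a given schedule may log in at a given time. The all-day "always" window and the rule that a recurring window whose end is earlier than its start spans midnight follow the FortiOS documentation for recurring schedules; treating the end time as exclusive is an assumption of this model, and the "NIGHT-OPS" schedule is constructed to exercise the midnight case.

```python
"""Evaluate FortiOS-style admin login schedules against a login time.

Added example, not FortiOS code. It models the recurring and one-time
schedules shown above and answers "may this admin log in at time T?".
A recurring window whose end is earlier than its start spans midnight
(as FortiOS documents for recurring schedules); treating the end time as
exclusive and 00:00-00:00 as all day are assumptions of this model.
"""
from datetime import datetime, time, timedelta

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def recurring(days, start="00:00", end="00:00"):
    """A recurring schedule; start == end (the default) means the whole day."""
    return {"type": "recurring", "days": set(days),
            "start": time.fromisoformat(start), "end": time.fromisoformat(end)}


def onetime(start, end):
    """A one-time schedule bounded by two absolute timestamps."""
    return {"type": "onetime", "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end)}


def schedule_permits(schedule, when):
    """True if the login time 'when' falls inside the schedule (None = no limit)."""
    if schedule is None:
        return True
    if schedule["type"] == "onetime":
        return schedule["start"] <= when < schedule["end"]
    start, end, days = schedule["start"], schedule["end"], schedule["days"]
    today, now = DAYS[when.weekday()], when.time()
    if start == end:                       # all-day window on the listed days
        return today in days
    if start < end:                        # window contained in a single day
        return today in days and start <= now < end
    # window crosses midnight: after 'start' it belongs to the listed day,
    # before 'end' it belongs to the morning after a listed day
    yesterday = DAYS[(when - timedelta(days=1)).weekday()]
    return (today in days and now >= start) or (yesterday in days and now < end)


# Schedules from the post plus one constructed midnight-crossing window
SCHEDULES = {
    "always": recurring(DAYS),
    "WORKWEEK": recurring(DAYS[:5], "09:00", "17:00"),
    "MAINT-WINDOW1": recurring(["tuesday", "thursday"], "01:00", "03:00"),
    "NIGHT-OPS": recurring(["friday"], "22:00", "02:00"),   # constructed
    "MYBLOGken": onetime("2014-12-26 17:00", "2014-12-26 18:00"),
}


def login_allowed(schedule_name, when):
    """Apply the named schedule (None = admin has no schedule) to a login at
    'when', given as a datetime or an ISO 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return schedule_permits(SCHEDULES.get(schedule_name), when)


if __name__ == "__main__":
    friday_evening = "2014-12-26 17:30"   # 26 Dec 2014 is a Friday
    for name in SCHEDULES:
        print(f"{name:14} {login_allowed(name, friday_evening)}")
```

Run as a script it evaluates every schedule for 17:30 on the day this post was written: only "always" and the one-time "MYBLOGken" window permit the login, because WORKWEEK has already closed at 17:00.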



Next, let's look at admin profiles. These can cause some confusion, but they increase the granularity you can offer for administrator access.

Admin profiles are great for assigning read-only access, or limited read/write rights, to the admins you assign them to. You can assign only ONE profile per user account, but you can define as many profiles, known as "accprofiles", as you need.

Here's a sample of the options in a profile configuration as shown in the WebGUI:


You control the items above and then apply the profile to the users you choose. The profile below is what I give my security operations team so that they can look at system statistics only.

Administrator profiles can be scoped globally or to a single VDOM:




config system accprofile
    edit "tvdom1"
        set scope vdom            <---- here
        set sysgrp read
        set netgrp read
        set loggrp read
        set wifi read
    next
end


Now for the grand finale: IPv4 or IPv6 trusted hosts (trusthost / ip6-trusthost) can be applied to each specific user account. This lets you restrict remote admin logins based on the source IP address.

Look at the following examples:

config system admin
    edit "user1"
        set trusthost1 10.10.80.12 255.255.255.255
        set accprofile "myadmingroup1"
        set vdom "root"
        set password blahblahblah
    next
    edit "user21"
        set trusthost1 10.10.80.12 255.255.255.255
        set trusthost2 10.10.90.0 255.255.255.0
        set accprofile "myadmingroup1"
        set vdom "root"
        set password blahblahblah
    next
    edit "socuser1"
        set trusthost1 10.10.80.12 255.255.255.255
        set trusthost2 10.10.90.0 255.255.255.128
        set trusthost3 73.26.220.1 255.255.255.255
        set trusthost4 10.10.0.0 255.255.255.248
        set accprofile "mysocusers"
        set vdom "root"
        set password blahblahblah
    next
    edit "socuser"
        set accprofile "limited"
        set vdom "root"
        set password blahblahblah
    next
end

All of the above users except "socuser" are matched on their L3 source address: if the source does not fall within one of the trusthost addresses or ranges, the login will not succeed. "socuser" has no trusthost entries, so it can log in from any source that reaches an interface with management access enabled. In every case the named accprofile is applied to the user.
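The per-interface allowaccess rules from the start of this post and the trusthost matching just described are both easy to check mechanically against a config backup. The following Python script is an added example of mine (not Fortinet code and not from the original post): it parses a constructed FortiOS config dump modelled on the fragments above, flags cleartext management (http/telnet) on any interface, emulates the per-admin trusthost check for a given source address, and flags admins whose only control is a schedule they can edit themselves. The sample config, the rule that interface names starting with "wan" are public-facing, and the IPv6 handling (an admin with no ip6-trusthost entries is treated as unrestricted for IPv6 sources, which is how I read the ::/0 default; verify on your firmware) are all assumptions.

```python
"""Audit a FortiOS config dump for the admin-access controls in this post.

Added example, not Fortinet code. It parses the top-level 'config system
interface' and 'config system admin' blocks of a constructed sample modelled
on the fragments above, flags cleartext management (http/telnet), emulates
the per-admin trusthost check, and flags admins whose only control is a
schedule they can edit. Assumptions: 'wan*' interfaces are public-facing; an
admin with no trusthost entries of the source's IP version is unrestricted.
"""
import ipaddress
import re
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping ssh http telnet
    next
    edit "dmz"
        set allowaccess ping https ssh snmp
    next
end
config system admin
    edit "kfelix"
        set schedule "MYBLOGken"
        set accprofile "super_admin"
    next
    edit "socuser1"
        set trusthost1 10.10.80.12 255.255.255.255
        set trusthost2 10.10.90.0 255.255.255.128
        set ip6-trusthost1 2001:db8:1::/64
        set accprofile "mysocusers"
    next
    edit "socuser"
        set accprofile "limited"
    next
end
"""

TRUSTHOST = re.compile(r"(ip6-)?trusthost\d+")
CLEARTEXT = {"http", "telnet"}

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for top-level blocks;
    nested sub-blocks (e.g. 'config ipv6' inside an interface) are skipped."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = sections.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
        elif depth != 1:
            continue                       # inside a nested block: ignore
        elif line.startswith("edit "):
            entry = section.setdefault(shlex.split(line[5:])[0], {})
        elif line.startswith("set ") and entry is not None:
            key, *vals = shlex.split(line[4:])   # shlex keeps quoted values whole
            entry[key] = vals
        elif line == "next":
            entry = None
    return sections

def audit_allowaccess(cfg):
    """(interface, severity, protocols) for each interface allowing http/telnet."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        bad = CLEARTEXT & set(iface.get("allowaccess", []))
        if bad:                            # assumption: 'wan*' faces the Internet
            severity = "HIGH" if name.startswith("wan") else "MEDIUM"
            findings.append((name, severity, sorted(bad)))
    return findings

def trusthost_allows(cfg, admin_name, source):
    """Emulate the trusthost check: the source must fall inside one of the
    admin's trusthost networks of the same IP version (none listed = any)."""
    src = ipaddress.ip_address(source)
    nets = []
    for key, vals in cfg["system admin"][admin_name].items():
        if TRUSTHOST.fullmatch(key):
            # IPv4 entries are 'address netmask', IPv6 entries 'prefix/len'
            net = ipaddress.ip_network("/".join(vals), strict=False)
            if net.version == src.version:
                nets.append(net)
    return not nets or any(src in net for net in nets)

def audit_admins(cfg):
    """(admin, issue) pairs: a super_admin can rewrite its own schedule, and
    an account without any trusthost accepts logins from every source."""
    issues = []
    for name, admin in cfg.get("system admin", {}).items():
        if admin.get("accprofile") == ["super_admin"] and "schedule" in admin:
            issues.append((name, "schedule on super_admin is not a real restriction"))
        if not any(TRUSTHOST.fullmatch(k) for k in admin):
            issues.append((name, "no trusthost: login accepted from any source"))
    return issues
```

Feed it the output of a real config backup instead of SAMPLE_CONFIG and call parse_fortios, then audit_allowaccess and audit_admins on the result; trusthost_allows(cfg, "socuser1", "10.10.90.200") returns False because 10.10.90.200 sits outside the 10.10.90.0/25 range, which is exactly the rejection a login from that address would get.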

Hands down, the Fortinet appliance offers a great deal of flexibility in access controls; few firewall products let you combine per-interface services, admin schedules, profiles and trusted hosts to this degree.


Key points to take away:

  •   by applying administrator account profiles, you can control read/write access to various system objects (firewall policies, logs, system information, IPS, etc.)
  •   schedules can be crafted but must be applied at the CLI level per user (by default no schedule is applied, so the admin can log in at any time)
  •   trusthost / ip6-trusthost (IPv4/IPv6) can really help control access at the network layer (based on source address)

With time-based schedules, make sure you use NTP and that the firewall is actually synchronized. You can use get system status (or execute time) to check the current time and diagnose sys ntp status to confirm that NTP time-sync is enabled and working.




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(   *  * )=
         o 
        /  \


